Cisco IOS NetFlow Version 9 Flow-Record Format

Transcription

1 Cisco IOS NetFlow Version 9 Flow-Record Format Last updated: February 007 Overview Cisco IOS NetFlow services provide network administrators with access to information concerning IP flows within their data networks Exported NetFlow data can be used for a variety of purposes, including network management and planning, enterprise accounting, and departmental chargebacks, Internet Service ppovider (ISP) billing, data warehousing, combating Denial of Service (DoS) attacks, and data mining for marketing purposes The basic output of NetFlow is a flow record Several different formats for flow records have evolved as NetFlow has matured The most recent evolution of the NetFlow flow-record format is known as Version 9 The distinguishing feature of the NetFlow Version 9 format is that it is template based Templates provide an extensible design to the record format, a feature that should allow future enhancements to NetFlow services without requiring concurrent changes to the basic flow-record format Using templates provides several key benefits: Third-party business partners who produce applications that provide collector or display services for NetFlow will not be required to recompile their applications each time a new NetFlow feature is added; instead, they may be able to use an external data file that documents the known template formats New features can be added to NetFlow more quickly, without breaking current implementations NetFlow is future-proofed against new or developing protocols, because the Version 9 format can be adapted to provide support for them Terminology Used in This Document One of the difficulties in describing the NetFlow Version 9 packet format occurs because many distinctly different, but similar-sounding, terms are used to describe portions of the NetFlow output To eliminate any confusion, these terms are described below: Export packet Built by a device (for example, a router) with NetFlow services enabled, this type of packet is addressed to another device (for example, a NetFlow collector) This other device processes the packet (parses, aggregates, and stores information on IP flows) Packet header the first part of an export packet, the packet header provides basic information about the packet, such as the NetFlow version, number of records contained within the packet, and sequence numbering, enabling lost packets to be detected FlowSet following the packet header, an export packet contains information that must be parsed and interpreted by the collector device A FlowSet is a generic term for a collection of records that follow the packet header in an export packet There are two different types of FlowSets: template and data An export packet contains one or more FlowSets, and both template and data FlowSets can be mixed within the same export packet All contents are Copyright Cisco Systems, Inc All rights reserved This document is Cisco Public Information Page of 3

2 Template FlowSet a template FlowSet is a collection of one or more template records that have been grouped together in an export packet Template record a template record is used to define the format of subsequent data records that may be received in current or future export packets It is important to note that a template record within an export packet does not necessarily indicate the format of data records within that same packet A collector application must cache any template records received, and then parse any data records it encounters by locating the appropriate template record within the cache Template ID the template ID is a unique number that distinguishes this template record from all other template records produced by the same export device A collector application that is receiving export packets from several devices should be aware that uniqueness is not guaranteed across export devices Thus, the collector should also cache the address of the export device that produced the template ID in order to enforce uniqueness Data FlowSet a data FlowSet is a collection of one or more data records that have been grouped together in an export packet Data record A data record provides information about an IP flow that exists on the device that produced an export packet Each group of data records (that is, each data FlowSet) references a previously transmitted template ID, which can be used to parse the data contained within the records Options template an options template is a special type of template record used to communicate the format of data related to the NetFlow process Options data record the options data record is a special type of data record (based on an options template) with a reserved template ID that provides information about the NetFlow process itself NetFlow Version 9 Packet Layout The NetFlow Version 9 record format consists of a packet header followed by at least one or more template or data FlowSets A template FlowSet provides a description of the fields that will be present in future data FlowSets These data FlowSets may occur later within the same export packet or in subsequent export packets Template and data FlowSets can be intermingled within a single export packet, as illustrated in Table Table NetFlow Version 9 Export Packet Packet Header Template FlowSet Data FlowSet Data FlowSet Template FlowSet Data FlowSet The possible combinations that can occur in an export packet follow: An export packet that consists of interleaved template and data FlowSets A collector device should not assume that the template IDs defined in such a packet have any specific relationship to the data FlowSets within the same packet The collector must always cache any received templates, and examine the template cache to determine the appropriate template ID to interpret a data record An export packet consisting entirely of data FlowSets after the appropriate template IDs have been defined and transmitted to the collector device, most of the export packets will consist solely of data FlowSets All contents are Copyright Cisco Systems, Inc All rights reserved This document is Cisco Public Information Page of 3

3 An export packet consisting entirely of template FlowSets although this case is the exception, it is possible to receive packets containing only template records Ordinarily, templates are piggybacked onto data FlowSets However, in some instances only templates are sent When a router first boots up or reboots, it attempts to synchronize with the collector device as quickly as possible The router may send template FlowSets at an accelerated rate so that the collector device has sufficient information to interpret any subsequent data FlowSets Also, template records have a limited lifetime, and they must be periodically refreshed If the refresh interval for a template occurs and there is no appropriate data FlowSet that needs to be sent to the collector device, an export packet consisting solely of template FlowSets is sent The format of both template and data FlowSets is discussed later in this document NetFlow Version 9 Packet Header Format The format of the NetFlow Version 9 packet header remains relatively unchanged from previous versions It is based on the NetFlow Version 5 packet header and is illustrated in Table Table 3 gives field descriptions Table NetFlow Version 9 Packet Header Format Version Count System Uptime UNIX Seconds Package Sequence Source ID Table 3 Field Name Version Count NetFlow Version 9 Packet Header Field Descriptions Value The version of NetFlow records exported in this packet; for Version 9, this value is 0x0009 Number of FlowSet records (both template and data) contained within this packet System Uptime Time in milliseconds since this device was first booted UNIX Seconds Seconds since 0000 Coordinated Universal Time (UTC) 970 Sequence Number Source ID Incremental sequence counter of all export packets sent by this export device; this value is cumulative, and it can be used to identify whether any export packets have been missed Note: This is a change from the NetFlow Version 5 and Version 8 headers, where this number represented total flows The Source ID field is a 3-bit value that is used to guarantee uniqueness for all flows exported from a particular device (The Source ID field is the equivalent of the engine type and engine ID fields found in the NetFlow Version 5 and Version 8 headers) The format of this field is vendor specific In the Cisco implementation, the first two bytes are reserved for future expansion, and will always be zero Byte 3 provides uniqueness with respect to the routing engine on the exporting device Byte 4 provides uniqueness with respect to the particular line card or Versatile Interface Processor on the exporting device Collector devices should use the combination of the source IP address plus the Source ID field to associate an incoming NetFlow export packet with a unique instance of NetFlow on a particular device Other values that existed in the NetFlow Version 5 and Version 8 packet headers (such as sampling interval and aggregation scheme) are sent in a reserved options data record The format of the options template and options data record is discussed later in this document All contents are Copyright Cisco Systems, Inc All rights reserved This document is Cisco Public Information Page 3 of 3

4 NetFlow Version 9 Template FlowSet Format One of the key elements in the new NetFlow Version 9 format is the template FlowSet Templates greatly enhance the flexibility of the NetFlow record format, because they allow a NetFlow collector or display application to process NetFlow data without necessarily knowing the format of the data in advance Templates are used to describe the type and length of individual fields within a NetFlow data record that match a template ID The format of the template FlowSet is described in Table 4, and the field descriptions are given in Table 5 Table 4 NetFlow Version 9 Template FlowSet Format FlowSet ID = 0 Length Template ID Field Count Field Type Field Length Field Type Field Length Field N Type Field N Length Template ID Field Count Field Type Field Length Field Type Field Length Field N Type Field N Length All contents are Copyright Cisco Systems, Inc All rights reserved This document is Cisco Public Information Page 4 of 3

5 Table 5 Field Name FlowSet ID Length Template ID Field Count Field Type Field Length NetFlow Version 9 Template FlowSet Field Descriptions Value The FlowSet ID is used to distinguish template records from data records A template record always has a FlowSet ID in the range of 0-55 Currently, the template record that describes flow fields has a FlowSet ID of zero and the template record that describes option fields (described below) has a FlowSet ID of A data record always has a nonzero FlowSet ID greater than 55 Length refers to the total length of this FlowSet Because an individual template FlowSet may contain multiple template IDs (as illustrated above), the length value should be used to determine the position of the next FlowSet record, which could be either a template or a data FlowSet Length is expressed in Type/Length/Value (TLV) format, meaning that the value includes the bytes used for the FlowSet ID and the length bytes themselves, as well as the combined lengths of all template records included in this FlowSet As a router generates different template FlowSets to match the type of NetFlow data it will be exporting, each template is given a unique ID This uniqueness is local to the router that generated the template ID Templates that define data record formats begin numbering at 56 since 0-55 are reserved for FlowSet IDs This field gives the number of fields in this template record Because a template FlowSet may contain multiple template records, this field allows the parser to determine the end of the current template record and the start of the next This numeric value represents the type of the field The possible values of the field type are vendor specific Cisco supplied values are consistent across all platforms that support NetFlow Version 9 At the time of the initial release of the NetFlow Version 9 code (and after any subsequent changes that could add new field-type definitions), Cisco provides a file that defines the known field types and their lengths The currently defined field types are detailed in Table 6 This number gives the length of the above-defined field, in bytes Note the following: Template IDs are not consistent across a router reboot Template IDs should change only if the configuration of NetFlow on the export device changes Templates periodically expire if they are not refreshed Templates can be refreshed in two ways A template can be resent every N number of export packets A template can also be sent on a timer, so that it is refreshed every N number of minutes Both options are user configurable Table 6 NetFlow Version 9 Field Type Definitions Field Type Value Length (bytes) Description IN_BYTES N (default is 4) Incoming counter with length N x 8 bits for number of bytes associated with an IP Flow IN_PKTS N (default is 4) Incoming counter with length N x 8 bits for the number of packets associated with an IP Flow FLOWS 3 N Number of flows that were aggregated; default for N is 4 PROTOCOL 4 IP protocol byte SRC_TOS 5 Type of Service byte setting when entering incoming interface TCP_FLAGS 6 Cumulative of all the TCP flags seen for this flow L4_SRC_PORT 7 TCP/UDP source port number ie : FTP, Telnet, or equivalent IPV4_SRC_ADDR 8 4 IPv4 source address SRC_MASK 9 The number of contiguous bits in the source address subnet mask ie: the submask in slash notation INPUT_SNMP 0 N Input interface index; default for N is but higher values could be used L4_DST_PORT TCP/UDP destination port number ie: FTP, Telnet, or equivalent IPV4_DST_ADDR 4 IPv4 destination address All contents are Copyright Cisco Systems, Inc All rights reserved This document is Cisco Public Information Page 5 of 3

6 Field Type Value Length (bytes) Description DST_MASK 3 The number of contiguous bits in the destination address subnet mask ie: the submask in slash notation OUTPUT_SNMP 4 N Output interface index; default for N is but higher values could be used IPV4_NEXT_HOP 5 4 IPv4 address of next-hop router SRC_AS 6 N (default is ) Source BGP autonomous system number where N could be or 4 DST_AS 7 N (default is ) Destination BGP autonomous system number where N could be or 4 BGP_IPV4_NEXT_HOP 8 4 Next-hop router's IP in the BGP domain MUL_DST_PKTS 9 N (default is 4) IP multicast outgoing packet counter with length N x 8 bits for packets associated with the IP Flow MUL_DST_BYTES 0 N (default is 4) IP multicast outgoing byte counter with length N x 8 bits for bytes associated with the IP Flow LAST_SWITCHED 4 System uptime at which the last packet of this flow was switched FIRST_SWITCHED 4 System uptime at which the first packet of this flow was switched OUT_BYTES 3 N (default is 4) Outgoing counter with length N x 8 bits for the number of bytes associated with an IP Flow OUT_PKTS 4 N (default is 4) Outgoing counter with length N x 8 bits for the number of packets associated with an IP Flow MIN_PKT_LNGTH 5 Minimum IP packet length on incoming packets of the flow MAX_PKT_LNGTH 6 Maximum IP packet length on incoming packets of the flow IPV6_SRC_ADDR 7 6 IPv6 Source Address IPV6_DST_ADDR 8 6 IPv6 Destination Address IPV6_SRC_MASK 9 Length of the IPv6 source mask in contiguous bits IPV6_DST_MASK 30 Length of the IPv6 destination mask in contiguous bits IPV6_FLOW_LABEL 3 3 IPv6 flow label as per RFC 460 definition ICMP_TYPE 3 Internet Control Message Protocol (ICMP) packet type; reported as ((ICMP Type*56) + ICMP code) MUL_IGMP_TYPE 33 Internet Group Management Protocol (IGMP) packet type SAMPLING_INTERVAL 34 4 When using sampled NetFlow, the rate at which packets are sampled ie: a value of 00 indicates that one of every 00 packets is sampled SAMPLING_ALGORITHM 35 The type of algorithm used for sampled NetFlow: 0x0 Deterministic Sampling,0x0 Random Sampling FLOW_ACTIVE_TIMEOUT 36 Timeout value (in seconds) for active flow entries in the NetFlow cache FLOW_INACTIVE_TIMEOUT 37 Timeout value (in seconds) for inactive flow entries in the NetFlow cache ENGINE_TYPE 38 Type of flow switching engine: RP = 0, VIP/Linecard = ENGINE_ID 39 ID number of the flow switching engine TOTAL_BYTES_EXP 40 N (default is 4) Counter with length N x 8 bits for bytes for the number of bytes exported by the Observation Domain TOTAL_PKTS_EXP 4 N (default is 4) Counter with length N x 8 bits for bytes for the number of packets exported by the Observation Domain TOTAL_FLOWS_EXP 4 N (default is 4) Counter with length N x 8 bits for bytes for the number of flows exported by the Observation Domain *Vendor Proprietary* 43 IPV4_SRC_PREFIX 44 4 IPv4 source address prefix (specific for Catalyst architecture) IPV4_DST_PREFIX 45 4 IPv4 destination address prefix (specific for Catalyst architecture) All contents are Copyright Cisco Systems, Inc All rights reserved This document is Cisco Public Information Page 6 of 3

7 Field Type Value Length (bytes) Description MPLS_TOP_LABEL_TYPE 46 MPLS Top Label Type: 0x00 UNKNOWN 0x0 TE-MIDPT 0x0 ATOM 0x03 VPN 0x04 BGP 0x05 LDP MPLS_TOP_LABEL_IP_ADDR 47 4 Forwarding Equivalent Class corresponding to the MPLS Top Label FLOW_SAMPLER_ID 48 Identifier shown in show flow-sampler FLOW_SAMPLER_MODE 49 The type of algorithm used for sampling data: 0x0 random sampling Use in connection with FLOW_SAMPLER_MODE FLOW_SAMPLER_RANDOM_I NTERVAL 50 4 Packet interval at which to sample Use in connection with FLOW_SAMPLER_MODE *Vendor Proprietary* 5 MIN_TTL 5 Minimum TTL on incoming packets of the flow MAX_TTL 53 Maximum TTL on incoming packets of the flow IPV4_IDENT 54 The IP v4 identification field DST_TOS 55 Type of Service byte setting when exiting outgoing interface IN_SRC_MAC 56 6 Incoming source MAC address OUT_DST_MAC 57 6 Outgoing destination MAC address SRC_VLAN 58 Virtual LAN identifier associated with ingress interface DST_VLAN 59 Virtual LAN identifier associated with egress interface IP_PROTOCOL_VERSION 60 Internet Protocol Version Set to 4 for IPv4, set to 6 for IPv6 If not present in the template, then version 4 is assumed DIRECTION 6 Flow direction: 0 - ingress flow, - egress flow IPV6_NEXT_HOP 6 6 IPv6 address of the next-hop router BPG_IPV6_NEXT_HOP 63 6 Next-hop router in the BGP domain IPV6_OPTION_HEADERS 64 4 Bit-encoded field identifying IPv6 option headers found in the flow *Vendor Proprietary* 65 *Vendor Proprietary* 66 *Vendor Proprietary* 67 *Vendor Proprietary* 68 *Vendor Proprietary* 69 MPLS_LABEL_ 70 3 MPLS label at position in the stack This comprises 0 bits of MPLS label, 3 EXP (experimental) bits and S (end-ofstack) bit MPLS_LABEL_ 7 3 MPLS label at position in the stack This comprises 0 bits of MPLS label, 3 EXP (experimental) bits and S (end-ofstack) bit MPLS_LABEL_3 7 3 MPLS label at position 3 in the stack This comprises 0 bits of MPLS label, 3 EXP (experimental) bits and S (end-ofstack) bit MPLS_LABEL_ MPLS label at position 4 in the stack This comprises 0 bits of MPLS label, 3 EXP (experimental) bits and S (end-ofstack) bit MPLS_LABEL_ MPLS label at position 5 in the stack This comprises 0 bits of MPLS label, 3 EXP (experimental) bits and S (end-ofstack) bit MPLS_LABEL_ MPLS label at position 6 in the stack This comprises 0 bits of MPLS label, 3 EXP (experimental) bits and S (end-ofstack) bit MPLS_LABEL_ MPLS label at position 7 in the stack This comprises 0 bits of MPLS label, 3 EXP (experimental) bits and S (end-ofstack) bit MPLS_LABEL_ MPLS label at position 8 in the stack This comprises 0 bits of MPLS label, 3 EXP (experimental) bits and S (end-ofstack) bit All contents are Copyright Cisco Systems, Inc All rights reserved This document is Cisco Public Information Page 7 of 3

8 Field Type Value Length (bytes) Description MPLS_LABEL_ MPLS label at position 9 in the stack This comprises 0 bits of MPLS label, 3 EXP (experimental) bits and S (end-ofstack) bit MPLS_LABEL_ MPLS label at position 0 in the stack This comprises 0 bits of MPLS label, 3 EXP (experimental) bits and S (endof-stack) bit IN_DST_MAC 80 6 Incoming destination MAC address OUT_SRC_MAC 8 6 Outgoing source MAC address IF_NAME 8 N (default specified in template) Shortened interface name ie: FE/0 IF_DESC 83 N (default specified in template) SAMPLER_NAME 84 N (default specified in template) Full interface name ie: 'FastEthernet /0 Name of the flow sampler IN_ PERMANENT _BYTES 85 N (default is 4) Running byte counter for a permanent flow IN_ PERMANENT _PKTS 86 N (default is 4) Running packet counter for a permanent flow * Vendor Proprietary* 87 FRAGMENT_OFFSET 88 The fragment-offset value from fragmented IP packets All contents are Copyright Cisco Systems, Inc All rights reserved This document is Cisco Public Information Page 8 of 3

9 Field Type Value Length (bytes) Description FORWARDING STATUS 89 Forwarding status is encoded on byte with the left bits giving the status and the 6 remaining bits giving the reason code Status is either unknown (00), Forwarded (0), Dropped (0) or Consumed () Below is the list of forwarding status values with their means Unknown 0 Forwarded Unknown 64 Forwarded Fragmented 65 Forwarded not Fragmented 66 Dropped Unknown 8, Drop ACL Deny 9, Drop ACL drop 30, Drop Unroutable 3, Drop Adjacency 3, Drop Fragmentation & DF set 33, Drop Bad header checksum 34, Drop Bad total Length 35, Drop Bad Header Length 36, Drop bad TTL 37, Drop Policer 38, Drop WRED 39, Drop RPF 40, Drop For us 4, Drop Bad output interface 4, Drop Hardware 43, Consumed Unknown 9, Terminate Punt Adjacency 93, Terminate Incomplete Adjacency 94, Terminate For us 95 When extensibility is required, the new field types will be added to the list The new field types have to be updated on the Exporter and Collector but the NetFlow export format would remain unchanged In some cases the size of a field type is fixed by definition, for example PROTOCOL, or IPV4_SRC_ADDR However in other cases they are defined as a variant type This improves the memory efficiency in the collector and reduces the network bandwidth requirement between the Exporter and the Collector As an example, in the case IN_BYTES, on an access router it might be sufficient to use a 3 bit counter (N = 4), on a core router a 64 bit counter (N = 8) would be required All counters and counter-like objects are unsigned integers of size N * 8 bits All contents are Copyright Cisco Systems, Inc All rights reserved This document is Cisco Public Information Page 9 of 3

10 NetFlow Version 9 Data FlowSet Format The format of the data FlowSet is described in Table 7, and the field descriptions are given in Table 8 Table 7 NetFlow Version 9 Data FlowSet Format FlowSet ID = Template ID Length Record - Field value Record - Field value Record - Field 3 value Record - Field 4 value Record - Field N value Record - Field value Record - Field value Record - Field 3 value Record - Field N value Padding All contents are Copyright Cisco Systems, Inc All rights reserved This document is Cisco Public Information Page 0 of 3

11 Table 8 Field Name NetFlow Version 9 Data FlowSet Field Descriptions Value FlowSet ID = Template ID Length Record N Field N Padding A FlowSet ID precedes each group of records within a NetFlow Version 9 data FlowSet The FlowSet ID maps to a (previously received) template ID The collector and display applications should use the FlowSet ID to map the appropriate type and length to any field values that follow This field gives the length of the data FlowSet Length is expressed in TLV format, meaning that the value includes the bytes used for the FlowSet ID and the length bytes themselves, as well as the combined lengths of any included data records The remainder of the Version 9 data FlowSet is a collection of field values The type and length of the fields have been previously defined in the template record referenced by the FlowSet ID/template ID Padding should be inserted to align the end of the FlowSet on a 3 bit boundary Pay attention that the Length field will include those padding bits When interpreting the NetFlow Version 9 data FlowSet format, note that the fields cannot be parsed without a corresponding template ID If a data FlowSet that does not have an appropriate template ID is received, the record should be discarded NetFlow Version 9 Options Template Format One additional record type is very important within the NetFlow Version 9 specification: an options template (and its corresponding options data record) Rather than supplying information about IP flows, options are used to supply meta-data about the NetFlow process itself The format of the options template is detailed in Table 9, and field descriptions are given in Table 0 Table 9 NetFlow Version 9 Options Template FlowSet ID = Length Template ID Option Scope Length Option Length Scope Field Type Scope Field Length Scope Field N Length Option Field Type Option Field Length Option Field N Length Padding All contents are Copyright Cisco Systems, Inc All rights reserved This document is Cisco Public Information Page of 3

12 Table 0 Field Name NetFlow Version 9 Options Template Field Definitions Value FlowSet ID = Length Template ID Option Scope Length Options Length Scope Field Type Scope Field Length Option Field Type Option Field Length Padding The FlowSet ID is used to distinguish template records from data records A template record always has a FlowSet ID of A data record always has a nonzero FlowSet ID which is greater than 55 This field gives the total length of this FlowSet Because an individual template FlowSet may contain multiple template IDs, the length value should be used to determine the position of the next FlowSet record, which could be either a template or a data FlowSet Length is expressed in TLV format, meaning that the value includes the bytes used for the FlowSet ID and the length bytes themselves, as well as the combined lengths of all template records included in this FlowSet As a router generates different template FlowSets to match the type of NetFlow data it will be exporting, each template is given a unique ID This uniqueness is local to the router that generated the template ID The Template ID is greater than 55 Template IDs inferior to 55 are reserved This field gives the length in bytes of any scope fields contained in this options template (the use of scope is described below) This field gives the length (in bytes) of any Options field definitions contained in this options template This field gives the relevant portion of the NetFlow process to which the options record refers Currently defined values follow: 0x000 System 0x000 Interface 0x0003 Line Card 0x0004 NetFlow Cache 0x0005 Template For example, sampled NetFlow can be implemented on a per-interface basis, so if the options record was reporting on how sampling is configured, the scope for the report would be 0x000 (interface) This field gives the length (in bytes) of the Scope field, as it would appear in an options record This numeric value represents the type of the field that appears in the options record Possible values are detailed in Table 6 above This number is the length (in bytes) of the field, as it would appear in an options record Padding should be inserted to align the end of the FlowSet on a 3 bit boundary Pay attention that the Length field will include those padding bits Examples Example Figure shows an example of the options template Figure Options Template Example Example All contents are Copyright Cisco Systems, Inc All rights reserved This document is Cisco Public Information Page of 3

13 In this example, we are reporting the following 3 Flow records: Src IP addr Dst IP addr Next Hop addr Packet Bytes Number Number Figure diagrams the NetFlow Version 9 export packet Note the following: Export packets can be composed of both template and data FlowSets Template and data FlowSets can be interleaved The template ID in the template record maps to the FlowSet ID in a corresponding data FlowSet The layout of the data in the data record maps to the fields formats defined in the template record Although in this example the template FlowSet that defines template ID 56 happens to be followed by data FlowSets that reference template ID 56, this setup is for illustration purposes only Data records are not necessarily preceded by their corresponding template within an export packet Figure NetFlow Version 9 Export Packet Example All contents are Copyright Cisco Systems, Inc All rights reserved This document is Cisco Public Information Page 3 of 3

14 The Collector or Mediation Device The Collector will receive template definitions from the Exporter, normally before receiving Flow Records The Flow Records can then be decoded and stored locally on the devices In case the template definitions have not been received at the time a Flow Record is received, the Collector should keep the Flow Record for later decode once the template definitions are received A Collector device must not assume that the Data FlowSet and the associated Template IDs are exported in the same Export Packet The Collector must not assume that one and only one Template FlowSet is present in an Export Packet; in rare circumstances, the Export Packet may contain several Template FlowSets Templates live only for a certain timeframe The lifetime of a Template should be deducted on the Collector based upon the time where the last Template FlowSet was received from the Exporter The collector must not attempt to decode the Flow Records with an expired Template The Collector should maintain a similar list: <Exporter, Export Interface, Template ID, Template ID, Template Def, Last Received> If a new Template definition is received (for example in case of an Exporter restart) it should immediately override the existing definition Printed in USA C /07 All contents are Copyright Cisco Systems, Inc All rights reserved This document is Cisco Public Information Page 4 of 3